This week, a group of cybercriminals lowered the ethics bar by extending their attacks on the healthcare sector beyond providers such as hospitals and clinics to a non-profit cancer support organization.
Little Red Door provides diagnostics, treatment, and supplies to under-served cancer patients. Sadly, this is just the latest example of hackers’ exploitation of the healthcare sector.
Last Friday, the computer systems of five hospitals in the UK’s Barts Health NHS Trust group were taken offline in response to a Trojan malware attack. Luckily, no patient data seems to have been taken, the virus has been quarantined, and most systems have since recovered from the attack (minus file-sharing). But the attacks were the latest notable reminder that legacy systems, a fragmented workforce, and inconsistent security defenses continue to put hospital cybersecurity in critical condition.
Why cybercriminals target healthcare
Last year, we saw a series of attacks on hospitals across the U.S. Hospitals have become a prime target because they usually operate legacy systems and medical devices with weak security, and they have a life-or-death need for immediate access to information. For instance, it appears Barts Health uses the unsupported Windows XP operating system.
But the trend also represents a notable shift in ransomware attackers’ focus from consumers to organizations with weak security. This new form of crime appears to be paying well. One ransomware developer posted a screenshot of his digital wallet that showed a balance of US$94 million, earned in about six months.
Why IoT medical devices pose an IT challenge
Ransomware attacks can target medical devices, which are more challenging to protect and clean up than servers and workstations. Recovering from these attacks includes not only the ransom payment but also the costs of downtime and system recovery. Some hospitals have experienced partial or complete network downtime of five to 10 days. McAfee’s Foundstone Incident Response team identified at least 19 hospital ransomware attacks during the first half of 2016, across six countries. Most of the hospitals that paid the ransom had no contingency plans for this type of event.
What we can do to protect healthcare IT systems
Little Red Door decided not to play by the attackers’ rules, refusing to pay them and noting that its funds are intended to “help cancer patients and their families.”
For organizations seeking to avoid such choices, we recommend the following Top 10 list for protecting healthcare systems from malware infections and recovering promptly:
- Develop an incident response plan, so that if your systems are compromised you can get back in operation quickly.
- On general-purpose devices, keep the patches up to date. Many of the vulnerabilities exploited by these attackers have patches available.
- Whitelist medical equipment to prevent unapproved programs from executing.
- Do not rely on default settings for endpoint protection. Turn on advanced endpoint protections that can block malware executables from running.
- Add or enhance your antispam filter. Most ransomware attacks use uncommon file formats, packed several levels into .zip files to evade detection, so make sure you are scanning for them.
- Block unnecessary programs and traffic. Many ransomware control servers use Tor to get their encryption key. If you can block this traffic, you can stop the encryption process.
- Use network segmentation to separate critical devices required for patient care from the general network.
- Keep backups completely disconnected from the production network, so that ransomware payloads cannot corrupt your backup data.
- Reduce or eliminate the use of local disks to store sensitive data. Secure network drives can be restored more quickly, assuming the backups are clean.
- Almost one in 10 spam messages is still being opened, so ongoing user awareness training is critically important.
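As an added illustration of the antispam recommendation above (not code from the original post or from McAfee), the sketch below walks a .zip attachment through every nested archive level and reports members with uncommon script or executable extensions. The extension list, depth limit, and size limit are assumed policy values, and the sample attachment is constructed for the example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed policy values for illustration; tune them to your mail gateway.
RISKY_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".hta", ".scr", ".lnk", ".exe"}
MAX_DEPTH = 5                          # stop descending past this many nested archives
MAX_MEMBER_BYTES = 20 * 1024 * 1024    # do not expand members declared larger than this


def scan_attachment(data, name="attachment.zip", depth=0, path=""):
    """Return (path, depth, reason) findings for one attachment's bytes."""
    findings = []
    here = f"{path}/{name}" if path else name
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings                # not an archive: nothing to descend into
    if depth >= MAX_DEPTH:
        return [(here, depth, "nesting too deep to inspect")]
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            member = f"{here}/{info.filename}"
            ext = PurePosixPath(info.filename).suffix.lower()
            if info.flag_bits & 0x1:   # bit 0 of the ZIP flags marks an encrypted member
                findings.append((member, depth + 1, "encrypted member, cannot inspect"))
                continue
            if ext in RISKY_EXTENSIONS:
                findings.append((member, depth + 1, f"risky extension {ext}"))
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((member, depth + 1, "member too large to expand"))
                continue
            # Recurse on the member's bytes so archives inside archives are inspected too.
            findings.extend(scan_attachment(archive.read(info), info.filename, depth + 1, here))
    return findings


def build_sample(levels=3):
    """Constructed sample: a harmless text stub named invoice.js, zipped `levels` deep."""
    payload, name = b"constructed placeholder, not a script", "invoice.js"
    for level in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
            z.writestr(name, payload)
        payload, name = buf.getvalue(), f"level{level}.zip"
    return payload


if __name__ == "__main__":
    for finding in scan_attachment(build_sample()):
        print(finding)
```

Attachments that exceed the depth limit or contain encrypted members are reported rather than passed, since a filter that cannot inspect a file has no basis for treating it as clean.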
To learn more about these recent hospital cyber-attacks and what you can do to protect against them, please see our McAfee Labs Threats Report: September 2016 feature on healthcare cyber-attacks.